Cyber Defenders Eyeing Path to Attack Mode

Military cybersecurity officials said at MeriTalk’s Tenable GovEdge 2018 event on May 3 that they can focus more on taking the fight to adversaries if the private sector can continue to provide the military with strong network defense technologies.

Panelists discussing the issue centered on using the strengths of industry-made tools to defend government systems.

“It’s really about, how do you leverage industry to do what they do best? And you could argue that’s the cyber hygiene,” said William Marion, Deputy Chief of Information Dominance and Deputy Chief Information Officer for the Air Force.

Marion mentioned how the Air Force was “16 versions behind” on patching some of its software until moving the program to the cloud and taking advantage of industry’s patching capabilities. “Our push to industry is always ‘stop selling us a tool, sell us the service.’ We’ve got to have a lot of agility and speed with respect to rollout of tools,” Marion added.

While the pace of military acquisition can be a hurdle for collaboration, changes are on the way to improve that situation, panelists said.

“As we’ve introduced the risk management framework in the Department (of Defense), a lot of that intent was to be able to speed up the process by which we bring new capabilities in,” said Roger Greenwell, risk management executive for the Defense Information Systems Agency (DISA).

Greenwell pointed to reciprocity across DoD for assessments for cloud systems, and “bare bones reviews” to test products in lab environments. Nir Gertner, Chief Security Strategist for CyberArk, hit on the difficulty of acquisition for industry, and how compliance can only get both parties so far.

Panelists discussed the balance of compliance and readiness, and how it affects their capabilities, but all agreed that both are necessary.

“I think of compliance as setting the conditions to be ready,” said Col. Donald Bray, the Army’s Acting Director of Cybersecurity and Information Assurance. “A lot of the compliance is about what we’re doing, and how well we’re doing it. And when we come to readiness, we’re focusing on what the adversary is doing, and what they’re capable of doing.”

“You’ve got to flip the equation from a lot of compliance and a little bit of readiness, to a little bit of cyber hygiene and compliance and really focus on continuous monitoring,” said Marion.

And panelists hammered home the underlying theme of the day–the importance of freeing up capabilities to go on the offensive.

“We have to be able to impose a cost on our adversary when they attack our networks,” said Bray.

“In cyber, we have to have a credible deterrence as an ability to respond. That’s something we’re working aggressively on, but it is happening already,” said Dr. Mark Asselin, Defense Intelligence Officer for cyber issues at the Defense Intelligence Agency.